P0 App Documentation

Kubernetes


Last updated 2 months ago

This topic describes how to add and configure P0’s Kubernetes integration so users can use P0 to grant access to a Kubernetes cluster.

Prerequisites

Ensure you have the following before continuing:

  • Access to an existing Amazon Web Services (AWS), Azure, or Google Cloud service with a Kubernetes cluster.

You must have the cluster-admin role in the Kubernetes cluster.

  • The example in this topic demonstrates the process using Google Cloud. The processes for AWS and Azure are similar.

  • A command-line application such as:

    • Standard local terminal application that supports Secure Shell (SSH) (e.g., Terminal, Command, PowerShell, or Bash)

    • Cloud service-specific command-line (CLI) shell (AWS CLI, Azure CLI, or Google Cloud)

  • kubectl command-line tool

  • jq JSON processor

Add the Kubernetes Cluster Integration

To add the Kubernetes Cluster integration to the P0 application:

If you have multiple clusters, you can repeat these steps to integrate each.

  1. Select Integrations, navigate to the Resources section, and click Kubernetes.

  2. Click IAM management.

  3. On the IAM management screen, click + Add cluster.

  4. On the IAM management screen, populate the following fields to add the Kubernetes cluster to P0:

The screenshots below show where to get the values in the Google Cloud console.

  • Cluster identifier: ID of the cluster. Use the ID in the Name field under Cluster basics:

  • Cluster endpoint: IP address of the cluster in the form of https://<address>:[port]. Navigate to Control Plane Networking and use the Public endpoint:

  • The port is optional.

  • Ensure you use https:// and not http://, since HTTP is not supported.

  • Cluster certification authority: Base64-encoded certificate data that verifies the API server’s authenticity. Click Show cluster certificate to display a popup where you can copy the certificate:

Ensure you copy the certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, and paste it into the Cluster certification authority field in P0.

  • Network Connectivity:

    • Public: Select this if the cluster's API is accessible directly over the Internet.

    • P0 Proxy: Select this if you are routing through P0’s reverse HTTPS proxy (used for private network setups).

  • Hosting: Select your cloud provider (e.g. Google Cloud) and enter the cluster details (e.g., GCP Project ID, GKE cluster name, and Location for Google Cloud).

  5. At the bottom of the IAM management screen, click Next.

  6. Open Google Cloud Shell (recommended) or a local shell, and run the following command to log into Google Cloud: gcloud auth login

This displays Google’s login browser screen where you enter your login details.

  7. Return to P0’s IAM management screen and copy the kubectl commands provided.

  8. Return to your shell, and paste the commands you just copied to enable P0’s admission controller. The output should look similar to the following:

namespace/p0-security created
serviceaccount/p0-service-account created
secret/p0-service-account-secret created
clusterrole.rbac.authorization.k8s.io/p0-service-role created
clusterrolebinding.rbac.authorization.k8s.io/p0-service-role-binding created
deployment.apps/p0-admission-controller created
service/p0-admission-controller created
validatingwebhookconfiguration.admissionregistration.k8s.io/p0-admission-controller created

  9. Return to the P0 IAM management screen, click Next, and copy the cluster token.

  10. In your shell, paste the command copied in the previous step to generate a token.

  11. Copy the resulting token from the shell, return to the P0 IAM management screen, and paste it into the Cluster token input field.

  12. Review the rest of the configuration and click Finish. P0 installs the integration and shows the cluster’s State as Installed once complete.

Congratulations, you have successfully integrated a Kubernetes cluster with P0 and can make access requests to it via P0’s Slack bot.
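
A pre-flight check for the Cluster endpoint and Cluster certification authority values described in the field list above, as an added example that is not part of P0's documentation or tooling. The function names and sample values are constructed for illustration, and current_cluster_fields assumes the kubeconfig for the current kubectl context embeds the CA data.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for two P0 cluster fields.
# Function names are hypothetical; the sample values are constructed.

# Cluster endpoint: only https://<address>[:port] (IPv4 or hostname assumed).
check_endpoint() {
  local url="$1" hostport host port
  case "$url" in
    https://*) hostport="${url#https://}" ;;
    *) echo "endpoint must start with https://" >&2; return 1 ;;
  esac
  hostport="${hostport%/}"
  case "$hostport" in
    ""|*/*|*" "*) echo "expected https://<address>[:port]" >&2; return 1 ;;
  esac
  host="${hostport%%:*}"
  [ -n "$host" ] || { echo "missing address" >&2; return 1; }
  if [ "$hostport" != "$host" ]; then
    port="${hostport#*:}"
    case "$port" in
      ""|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    [ "$port" -le 65535 ] || { echo "port out of range" >&2; return 1; }
  fi
}

# Cluster certification authority: one PEM block with both marker lines.
check_ca_pem() {
  local pem="$1" first last body
  first="$(printf '%s\n' "$pem" | sed -n '1p')"
  last="$(printf '%s\n' "$pem" | sed -n '$p')"
  [ "$first" = "-----BEGIN CERTIFICATE-----" ] || { echo "missing BEGIN CERTIFICATE line" >&2; return 1; }
  [ "$last" = "-----END CERTIFICATE-----" ] || { echo "missing END CERTIFICATE line" >&2; return 1; }
  body="$(printf '%s\n' "$pem" | sed '1d;$d' | tr -d '\n')"
  case "$body" in
    ""|*[!A-Za-z0-9+/=]*) echo "certificate body is not Base64" >&2; return 1 ;;
  esac
}

# Print both values for the current kubectl context (needs kubectl and jq).
current_cluster_fields() {
  kubectl config view --minify --raw -o json |
    jq -r '.clusters[0].cluster | .server, (."certificate-authority-data" | @base64d)'
}

# Constructed sample input: documentation-range IP, placeholder certificate body.
SAMPLE_CA='-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIEJPRFk=
-----END CERTIFICATE-----'
check_endpoint "https://203.0.113.10:443" && check_ca_pem "$SAMPLE_CA" &&
  echo "fields look well-formed"
```

Comparing the output of current_cluster_fields with the values copied from the cloud console catches a certificate or endpoint taken from the wrong cluster before it is saved in P0.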

Open p0.app in your browser and log in.

If you chose the Network Connectivity P0 Proxy option, an additional deployment called braekhus is created, which acts as a proxy between P0 and the Kubernetes control plane. For additional information, see the braekhus GitHub repo.

For additional kubectl information, see Install kubectl and configure cluster access.

To ensure your integration works, see Requesting Access.
